Enforce stricter permissions on GitHub actions

2025-07-31 03:07:34 +02:00 · 2024-05-06 11:18:48 +02:00
parent 9fabc69ba9
commit 3473611b90
2 changed files with 23 additions and 4 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -25,8 +25,7 @@ jobs:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}

    permissions:
-      actions: read
-      contents: read
+      # Only allow write for security, then all others default to read only
      security-events: write

    strategy:
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@ -21,7 +21,8 @@ jobs:
    # Environment image - always use the newest OS
    runs-on: ubuntu-latest
    permissions:
-      contents: write
+      # With at least one permission given, all default to read
+      contents: read

    # Run steps
    steps:
@ -42,6 +43,25 @@ jobs:
        # ignore snapshot updates, because they are likely to have breaking changes, enforce checksums
        run: mvn test --batch-mode --threads 2.0C --no-snapshot-updates --strict-checksums --file pom.xml

-      - name: Update dependency graph
+  dependency:
+    runs-on: ubuntu-latest
+    permissions:
+      # Write only necessary for dependency submission all others then default to read
+      contents: write
+
+    # Run steps
+    steps:
+      # Pull changes
+      - uses: actions/checkout@v4
+
+      # Setup Java
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version-file: '.java-version'
+          cache: 'maven'
+
+      - name: Submit Dependency Snapshot
        if: ${{ github.event_name == 'push' }}
        uses: advanced-security/maven-dependency-submission-action@v4.0.3